CYBER SECURITY POLICY MANUAL

Prepared by IT Cyber Security Division, Information Technology Department
City of Greensboro, NC, Cyber Security Division

TABLE OF CONTENTS

DOCUMENT INFORMATION  4
APPROVAL DETAILS  5
CYBER SECURITY & COMPLIANCE POLICY  6
  Purpose  6
  Scope  6
  Definitions  6
  Roles and Responsibilities  7
  Policy  7
VULNERABILITY MANAGEMENT POLICY  10
  Purpose  10
  Scope  10
  Definitions  10
  Roles and Responsibilities  10
  Policy  10
PATCH MANAGEMENT POLICY  13
  Purpose  13
  Scope  13
  Definitions  13
  Roles and Responsibilities  13
  Policy  14
DATA CLASSIFICATION POLICY  15
  Purpose  15
  Scope  15
  Definitions  15
  Roles and Responsibilities  15
  Policy  16
ENCRYPTION POLICY  19
  Purpose  19
  Scope  19
  Definitions  19
  Roles and Responsibilities  19
  Policy  20
REMOTE ACCESS POLICY  21
  Purpose  21
  Scope  21
  Policy  22
USER PROVISIONING POLICY  24
  Purpose  24
  Scope  24
  Definitions  24
  Roles and Responsibilities  24
  Policy  25
MOBILE DEVICE POLICY  27
  Purpose  27
  Scope  27
  Definitions  27
  Roles and Responsibilities  27
  Policy  27
NETWORK ACCESS POLICY  30
  Purpose  30
  Scope  30
  Roles and Responsibilities  30
  Policy  30
CYBER SECURITY INCIDENT RESPONSE PROCEDURE  32
  Purpose  32
  Scope  32
  Definitions  32
  Roles and Responsibilities  33
  Procedure  33
INFORMATION SECURITY MANAGEMENT SYSTEM (ISMS) POLICY  36
  Purpose  36
  Scope  36
  Roles and Responsibilities  36
  Introduction  37
  Scope Statement  37
  External/Internal Issues  37
  Interested Parties  39
  Interfaces and Dependencies  40
  Information Security Management System  40
  Leadership and Commitment  40
  Planning  41
  Changes to Policies, Processes and Procedures  41
  Communications  41
  Internal Audit  42
  Management Review  42
  Continual Improvements  43
CARD PAYMENT HANDLING POLICY  44
  Purpose  44
  Scope  44
  Roles and Responsibilities  44
  Policy  45
POLICY ENFORCEMENT  47
POLICY COMPLIANCE  47
POLICY EXCEPTIONS  47

DOCUMENT INFORMATION

Policy Name: Cyber Security Policy Manual
Document Reference Number: GSO-CSPM-001
Version: 1.7
Effective from: 3/1/2018

Document Change History and Revision Control

Version | Sections Revised | Description of Revision | Changed By | Date
1.0 | All | Initial Document Creation | Cyber Security Team | 2/7/2018
1.1 | - | Updated Social Media Policy | Cyber Security Team | 2/4/2019
1.2 | - | Updated the internal audit section of the ISMS policy; Added Card Payment Handling Policy; Updated password configuration in User Provisioning Policy; Provided updates to Social Media Policy | Cyber Security Team | 1/28/2020
1.3 | - | - | Law & Compliance Team | 5/13/2020
1.4 | - | Updated Vulnerability Management Policy | Cyber Security Team | 1/29/2021
1.5 | - | Updated Mobile Device Policy | Cyber Security Team | 1/31/2023
1.6 | All | Updated roles and responsibilities throughout the policy; Removed Social Media Policy | Cyber Security Team | 2/16/2024
1.7 | - | Updated ISMS policy to reflect compliance to ISO27001:2022; Removed Supplier Risk Management Policy | Cyber Security Team | 2/17/2025

APPROVAL DETAILS

Reviewed & Approved By | Role | Signature | Date
Rodney Roberts | Chief Information Officer | | 02/25/2025
Naser Yasin | Chief Information Security Officer | | 02/25/2025

CYBER SECURITY & COMPLIANCE POLICY

PURPOSE

The purpose of this policy is to define the principles by which the City of Greensboro will protect the confidentiality, integrity and availability of systems and information and ensure compliance with data privacy laws and industry regulations. Protecting systems and information and ensuring compliance with laws and regulations is fundamental to the successful operation of the City of Greensboro.

SCOPE

This policy applies to:

1) All Information Technology assets leased, owned and operated by the City of Greensboro
2) All data stored, processed and transmitted by City of Greensboro systems and applications
3) All City of Greensboro employees, contractors, and consultants

DEFINITIONS

Confidential Information: The type of information that, if lost or stolen, could severely impact the City of Greensboro and its employees and residents. Examples include personal identifiable information, credit card numbers, bank account numbers, and users' names and passwords.

Availability: Improving the reliability of a system or application to make it always available for employees, residents and partners.

OWASP: Open Web Application Security Project – defines security standards to follow to develop and implement secure web applications.

PCI: Payment Card Industry standards designed to ensure that companies that process, store or transmit credit card information maintain a secure environment.

HIPAA: Health Insurance Portability and Accountability Act – US legislation that provides data privacy and security provisions for safeguarding medical information.

ROLES AND RESPONSIBILITIES

Function | Responsibility

Chief Information Officer:
- Support efforts to ensure that proper security controls are implemented to protect the City of Greensboro's systems and information and comply with data privacy laws and industry regulations

Cyber Security Team:
- Provide strategic direction and information security management to ensure that information security controls are defined and implemented to protect City of Greensboro systems and information and comply with data privacy laws and industry regulations
- Communicate risks and mitigation recommendations to IT and City management and define, implement and manage security controls to protect City of Greensboro systems and information

All employees, contractors, and consultants:
- Adhere to all security policies and controls that have been implemented to protect City of Greensboro systems and information

POLICY

1) Systems and applications must be protected against network intrusions and cyber-attacks that aim at compromising the confidentiality, integrity and availability of City of Greensboro information. Network detection and prevention controls must be implemented to identify and stop these intrusions and cyber-attacks.
2) Access control mechanisms must be implemented to ensure that access to systems and information is provided only to users that have been authorized and approved. Unauthorized access attempts to systems and information must be detected and blocked.
3) Vulnerability assessments must be conducted regularly to identify and mitigate system and application vulnerabilities that could be exploited by unauthorized users to gain access to confidential information. Critical vulnerabilities must be mitigated in a timely manner to protect City of Greensboro systems and information.
4) A security patch management process must be implemented to provide an efficient and reliable method for the assessment, testing and implementation of security patches to systems, applications and network devices. The process must ensure that security patches are implemented in a timely manner to effectively mitigate the risk to City of Greensboro's systems and information.
5) Encryption controls must be implemented to protect the confidentiality and integrity of confidential information being processed by, transmitted through, and stored in City of Greensboro's systems and applications. Encryption keys must be protected from unauthorized access and disclosure.
6) An information classification model must be defined to provide a framework for categorizing data collected, stored and managed by the City of Greensboro and securing this data from risks including unauthorized access, destruction, modification, disclosure, use and removal.
7) Information security controls must be implemented to ensure that all employees obey laws, regulations, and City policies when using IT resources. This includes copyright laws, software-licensing agreements, data privacy and protection laws and standards including HIPAA and PCI, and contractual requirements related to intellectual property rights and use of proprietary software products. Controls must also be implemented to protect the confidentiality of personal identifiable information, personal health information, and financial information.
8) A change management process must be implemented to manage change to IT infrastructure including hardware, software, and services and ensure the availability of systems and applications by minimizing risk and disruption to IT infrastructure caused by change.
9) Secure configuration standards must be defined and implemented for workstations, servers, databases, and network devices to protect systems and information from unauthorized access and disclosure of confidential information.
10) An incident management process must be implemented to ensure that information security incidents are properly reported and appropriately investigated. The process must outline the activities required to successfully manage incidents from reporting to closure.
11) A secure software development process must be defined and implemented to ensure that secure coding practices are followed when designing and developing applications. These practices protect confidential information from unauthorized access or modification and ensure the continuous availability of systems and applications to City of Greensboro employees, residents and partners.
12) Continuity of operations plans must be defined and implemented to ensure the availability of systems and applications in the event of a disaster. The plans must include recovery procedures for systems and applications and must be tested regularly to identify and mitigate any potential gaps.
13) Information security training must be provided to all City of Greensboro employees regularly to promote good security practices and educate employees about threats and countermeasures to protect City of Greensboro's systems and information. Information security training must also be provided to application developers to ensure that developed applications address the OWASP top 10 vulnerabilities. IT personnel must also be trained on using advanced analysis and forensics techniques to identify and remove Malware infections in systems and applications.
14) Risk assessments must be conducted regularly to identify risks to City of Greensboro's systems and information and implement controls to mitigate identified risks. The risk assessment must take into consideration business objectives, compliance changes and evolving security threats. The City of Greensboro information security strategy must be defined according to identified risks and must focus on minimizing these risks to an acceptable level.
15) The City of Greensboro must undergo annual Payment Card Industry (PCI) audits to ensure that proper security controls are implemented to protect credit card information traversing the City's systems and network.
16) An IT compliance program must be established to ensure compliance with laws, regulations, policies and standards. Monthly, quarterly, semi-annual and annual compliance activities must be conducted to identify and mitigate compliance deficiencies.

VULNERABILITY MANAGEMENT POLICY

PURPOSE

New technology vulnerabilities emerge on a daily basis. It is essential to identify and mitigate these vulnerabilities to protect the City's systems and applications and safeguard confidential information. For this reason, vulnerability scans must be conducted on a regular basis to ensure that system and application vulnerabilities are identified, assessed, communicated and mitigated in a timely manner.

SCOPE

This policy applies to:

1) All City of Greensboro IT employees, contractors, and consultants.
2) All IT resources including software, network devices, servers, workstations, and storage media.

DEFINITIONS

Vulnerability: A weakness that, if exploited, allows an attacker to gain access to and take control of a system.

Scan: Conducting security checks to identify weaknesses in systems and applications.

ROLES AND RESPONSIBILITIES

Function | Responsibility

Cyber Security Team:
1. Conduct vulnerability scans to identify vulnerabilities and configuration weaknesses in systems and applications
2. Provide vulnerability mitigation recommendations to IT Administrators

IT Administrators:
- Ensure that identified vulnerabilities are mitigated in a timely manner as described in bullet 5 of the policy

POLICY

1) The Cyber Security Team is authorized to conduct vulnerability assessments against all systems and applications connected to the City's network to identify vulnerabilities and configuration weaknesses. This is required to protect the City's systems and information from threats and cyber-attacks and comply with all applicable laws and regulations.
2) All systems and applications connected to the City's network are subject to these assessments, whether or not they are owned or operated by the City of Greensboro.
3) To ensure that vulnerability scans are comprehensive and accurate, scans may be conducted using an authenticated method, in which the vulnerability scanning software logs into the system or application with administrator-level access.
4) The Cyber Security Team requires IT Administrators to review the results of vulnerability scans and evaluate, test and mitigate system and application vulnerabilities appropriately.
5) The timely and consistent mitigation of a reported vulnerability is critical in protecting the City's systems, applications and data from damage or loss due to threats such as Malware, cyber-attacks or other forms of external and internal threats. For this reason, identified vulnerabilities must be mitigated in accordance with the specific timeframes described here:
   a. Critical – denotes a vulnerability that an attacker can easily exploit to gain access to a critical system, application or confidential information. These types of vulnerabilities must be mitigated within 1 week.
   b. Severe – denotes a vulnerability that an attacker could exploit to gain access to a system, application or confidential information. While this class of vulnerabilities is extremely serious, the risk of a breach or compromise is not as urgent as with a critical vulnerability. These types of vulnerabilities must be mitigated within 1 month.
   c. Moderate – denotes a vulnerability that may allow an attacker to gain access to specific information stored on the system, including system settings. The vulnerability allows an attacker to gain access to information that may be used to compromise the system in the future. These types of vulnerabilities must be mitigated within 2 months.
   d. Low – denotes a vulnerability that may allow an attacker to gain access to system information such as installed software and version numbers. This information can be used to launch various types of reconnaissance attacks against the system in an attempt to gather additional information and gain access to it. These types of vulnerabilities must be mitigated within 3 months.
6) IT Administrators must work with the Cyber Security Team to conduct a vulnerability assessment against new systems and applications before production migration.
7) In the event of a security vulnerability or incident, devices may be removed from the network or isolated. IT Administrators will be contacted to identify and resolve the issue.
8) If applicable, system configuration standards must be updated by IT Administrators as new vulnerability issues are found.
9) Vulnerability scans must be conducted frequently and based on the following factors:
   a. Incident-response scan – An on-demand scan initiated as a result of a specific security-related incident.
   b. Admin Requested – The system owner with administrative authority over the equipment may request vulnerability scans as a part of the Change Management Process.
   c. Web Application Scan – Conducted monthly against all public-facing web applications.
   d. PCI DSS Scan – Conducted monthly against all external systems and applications to ensure that payment card systems are not vulnerable to compromise.
   e. Internal Environment Scanning – Conducted bi-weekly against all internal systems and applications.
10) Should an IT Administrator identify a reported vulnerability as a potential false positive, the Cyber Security Team must be engaged to verify it.
11) Vulnerabilities and other policy violations must be resolved by communicating with the user of record, with denial of network access reserved as a last resort. Compromises and other security breaches must follow the City of Greensboro's Incident Response Policies and related documents.
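The mitigation timeframes in bullet 5 and the false-positive handling in bullet 10 are easiest to track when applied mechanically to a scan export. The following Python script is an added example, not part of the City's policy or tooling: it reads a constructed CSV of findings, computes each finding's due date from its severity, lists open findings that are past due, and separates findings an administrator has flagged as possible false positives so they can be routed to the Cyber Security Team. The CSV layout, the status values (open, mitigated, disputed) and the reading of "1 month" as one calendar month are assumptions made for the example.

```python
from __future__ import annotations

import calendar
import csv
import io
from dataclasses import dataclass
from datetime import date, timedelta

# Mitigation timeframes from bullet 5 of the Vulnerability Management Policy.
DEADLINE_BY_SEVERITY = {
    "Critical": ("weeks", 1),
    "Severe": ("months", 1),
    "Moderate": ("months", 2),
    "Low": ("months", 3),
}


def add_months(d: date, months: int) -> date:
    """Same day of the month N months later, clamped to the month's last day.
    The policy does not define "month"; calendar months are an assumption here."""
    month_index = d.month - 1 + months
    year = d.year + month_index // 12
    month = month_index % 12 + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


def due_date(reported: date, severity: str) -> date:
    """Policy deadline for a finding first reported on `reported`."""
    unit, amount = DEADLINE_BY_SEVERITY[severity]
    if unit == "weeks":
        return reported + timedelta(weeks=amount)
    return add_months(reported, amount)


@dataclass
class Finding:
    host: str
    title: str
    severity: str
    reported: date
    status: str  # open, mitigated, or disputed (flagged as a possible false positive)


def parse_findings(csv_text: str) -> list[Finding]:
    """Parse a scan export with columns host,finding,severity,reported,status."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return [
        Finding(r["host"], r["finding"], r["severity"], date.fromisoformat(r["reported"]), r["status"])
        for r in rows
    ]


def overdue(findings: list[Finding], today: date) -> list[tuple[Finding, int]]:
    """Open findings whose policy deadline has passed, most overdue first."""
    result = []
    for f in findings:
        if f.status != "open":
            continue
        due = due_date(f.reported, f.severity)
        if today > due:
            result.append((f, (today - due).days))
    return sorted(result, key=lambda pair: -pair[1])


def pending_verification(findings: list[Finding]) -> list[Finding]:
    """Findings flagged as false positives; bullet 10 requires Cyber Security Team
    verification before they leave the tracking list."""
    return [f for f in findings if f.status == "disputed"]


# Constructed sample scan export (hosts and findings are made up for the example).
SAMPLE_CSV = """host,finding,severity,reported,status
fileserver-01,Outdated SMB signing configuration,Severe,2025-01-10,open
web-portal-02,Missing security patch,Critical,2025-02-20,open
web-portal-02,Banner discloses version,Low,2024-12-01,open
print-srv-03,Weak cipher suite enabled,Moderate,2025-01-05,mitigated
db-04,Default account enabled,Critical,2025-02-25,disputed
"""

if __name__ == "__main__":
    findings = parse_findings(SAMPLE_CSV)
    as_of = date(2025, 3, 3)
    for f, days in overdue(findings, as_of):
        print(f"OVERDUE {days:>3}d  {f.severity:<9} {f.host:<15} {f.title}")
    for f in pending_verification(findings):
        print(f"VERIFY        {f.severity:<9} {f.host:<15} {f.title}")
```

Run against the constructed data as of 2025-03-03, the Severe finding is 21 days past its one-month deadline, the Critical finding is 4 days past its one-week deadline, and the Low finding is 2 days past its three-month deadline; the mitigated finding is ignored and the disputed one is listed for verification rather than as overdue.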


PATCH MANAGEMENT POLICY

PURPOSE

Patch management is a critical part of maintaining the security of systems, applications and network infrastructure. It is a vital component of the City's cyber security program. Security vulnerabilities are inherent in systems and applications, which allow the development and propagation of Malware that can disrupt the City's operations in addition to placing confidential data at risk. This policy ensures that there is a process in place to provide an efficient and reliable method for the assessment, testing and deployment of software patches to all systems, applications and network devices. The process will ensure patches are deployed in a timely manner to effectively mitigate the risk to the City.

SCOPE

This policy applies to:

1) All City of Greensboro IT employees, contractors, and consultants.
2) All IT resources including software, network devices, servers, workstations, and storage media.

DEFINITIONS

Vulnerability: A weakness that, if exploited, allows an attacker to gain access to and take control of a system.

Patch: A software update designed to fix a vulnerability in a system or application.

ROLES AND RESPONSIBILITIES

Function | Responsibility

Cyber Security Team:
1) Conduct vulnerability scans to identify missing patches in systems, applications and network devices
2) Communicate the results to IT Administrators

IT Administrators:
- Ensure that security patches are tested and deployed to systems, applications and network devices in a timely manner


POLICY

1) IT Administrators must review, evaluate, and appropriately apply security updates and software patches to systems, applications and network devices in a timely manner. If patches cannot be applied in a timely manner due to hardware or software constraints, other mitigating controls must be evaluated and implemented to reduce the risk to an acceptable level.
2) In order to protect the City's systems, applications and confidential information, IT Administrators must apply security updates and software patches in accordance with the specific timeframes here:
   a. For critical or out-of-band updates (emergency cycle) – security updates and software patches must be tested for 2 days and then deployed to all production systems and applications immediately after.
   b. For important updates or updates that are released within the normal window (normal cycle) – security updates and software patches must be tested for 2 weeks and then deployed to all production systems and applications immediately after.
3) In the event of a security vulnerability or incident, devices may be removed from the network or isolated. IT Administrators will be contacted to identify and resolve the issue.
4) Each vulnerability alert and patch release must be evaluated to ensure that it applies to the City's systems and applications prior to taking any action, in order to avoid unnecessary patching.
5) Automated tools must be used to deploy security updates and software patches to systems and applications. Manual patching is acceptable for critical systems and applications.
6) Vulnerability scans must be conducted against all systems, applications and network devices to identify vulnerabilities related to missing security updates and software patches. The scan results must be evaluated and communicated to IT Administrators. IT Administrators must mitigate all identified vulnerabilities according to the timeframes defined in the Vulnerability Management Policy.
7) All security updates and software patches must be tested prior to deployment to production systems and applications.
8) IT Administrators must ensure that all systems, applications and network devices are fully patched before production migration.
9) A back-out plan that allows safe restoration of systems and applications to their pre-patch state must be devised prior to security update and software patch deployments. The plan can be executed in the event that the patch has unforeseen effects.


DATA CLASSIFICATION POLICY

PURPOSE

Data classification is the classification of data based on its level of sensitivity and the impact to the City should that data be destroyed, modified or disclosed without authorization. The purpose of this document is to provide a framework for categorizing data collected, stored, and managed by the City, and securing this data from risks including unauthorized destruction, modification, disclosure, access, use, and removal.

SCOPE

This policy applies to:

1) All City of Greensboro employees, contractors, and consultants.
2) All IT resources including, but not limited to, mobile devices, software applications, network devices, printers, servers, workstations, and storage media.

DEFINITIONS

CVV: Authentication procedure established by credit card companies to further efforts towards reducing fraud for internet transactions.

Ruleset: Firewall rules that define allowed and denied IP addresses and protocols.

IPS: Intrusion prevention system that detects and blocks intrusions and cyber-attacks against systems and applications.

SSL: A standard security technology for establishing an encrypted link to allow for the secure transmission of data.

ROLES AND RESPONSIBILITIES

Function | Responsibility

Cyber Security Team:
1) Define the classification model
2) Define the required security controls to protect the classified data
3) Provide user awareness and training about proper data handling

Data Owners:
1) Classify data according to the data classification model defined in this policy
2) Ensure the proper security controls are in place to protect the classified data

Data User:
- Handle classified data in accordance with the rules and guidelines defined in this policy

POLICY

1) Since the classification of data helps determine the appropriate security controls to implement in order to protect the data, all City data must be classified into one of the following categories:
   a. Confidential – this type of data could cause significant impact to the City if destroyed, modified or disclosed without authorization. Examples of confidential data include:
      o Personally Identifiable Information (PII) – this includes name, social security number, date of birth, state-issued driver's license number, and other personal characteristics that would make the person easily identifiable.
      o Payment Card Information – this includes cardholder name, credit card number, service code, expiration date, CVV, PIN, and content of the credit card magnetic stripe.
      o Protected Health Information (PHI) – this includes any information about health status, provision of health care, or payment for health care that can be linked to a specific individual.
      o SCADA and critical infrastructure documents
      o Other data types that must be protected in accordance with state and federal regulation.
   b. Public – this type of data could cause low impact to the City if destroyed, modified or disclosed without authorization. Examples of public data include:
      o Any information that can be made public through the Public Information Request Tracking (PIRT) system
      o Publicly accessible websites
      o Data posted on blogs and other social media outlets
      o Press releases posted on public websites
2) The classified data must be handled based on the following table. The table also defines the required security controls to protect the classified data.

Security Control Category | Data Classification: Confidential | Data Classification: Public

Access Control
   Confidential:
   - Viewing and modification restricted to authorized individuals as needed for business-related roles
   - Data Owner or designee grants permission for access. Access requires approval from supervisor
   - Authentication and authorization required for access
   - Third Party Access Policy is required for third-party access
   Public:
   - No restriction for viewing
   - Authorization by Data Owner or designee required for modification

Copying and Printing
   Confidential:
   - Data should only be printed when there is a legitimate need
   - Copies must be limited to individuals authorized to access the data
   - Data should not be left unattended on a printer/fax
   Public:
   - No restrictions

Transmission
   Confidential:
   - Encryption required (i.e. SSL or secure file transfer protocols)
   - Cannot transmit via e-mail unless encrypted
   - Must use encrypted USB drives if being transported to outside entities
   Public:
   - No restrictions

Network Security
   Confidential:
   - Protection with a network firewall using a "default deny" ruleset required
   - Must reside on an isolated segment separate from the internal network
   - IPS required
   - Servers hosting the data cannot be visible to the Internet, nor to unprotected subnets on the City's network
   - The firewall ruleset must be reviewed periodically
   Public:
   - May reside on a public network but protected with a firewall and IPS system

Data Storage
   Confidential:
   - Storage on a secure server required
   - Storage in Secure Data Center required
   - Must not store on an individual workstation or mobile device
   - Cannot be stored on a USB drive
   Public:
   - Storage on a secure server required
   - Storage in Secure Data Center required

System Security
   Confidential:
   - Server must be configured according to server secure configuration standards
   Public:
   - Server must be configured according to server secure configuration standards

3) Data owners are responsible for classifying their data and ensuring the proper security controls are in place to protect the classified data. Data owners are also responsible for ensuring that proper labelling is placed on IT equipment where confidential data is stored.


ENCRYPTION POLICY

PURPOSE

The purpose of this policy is to define the encryption standards and provide guidance on the use of encryption technologies to protect the confidentiality and integrity of information being processed by, transmitted through, and stored on City of Greensboro's systems and applications.

SCOPE

This policy applies to:

1) All Information Technology assets owned and operated by the City of Greensboro.
2) All employees, contractors and consultants.

DEFINITIONS

AES: Advanced Encryption Standard – specification for encrypting data established by the National Institute of Standards and Technology (NIST).

SHA: Secure Hash Algorithm – a hashing function used to mask confidential information in systems and applications. The SHA specification was established by the National Institute of Standards and Technology (NIST).

SSL: Secure Socket Layer – a standard security technology for establishing an encrypted link between a server and a client.

256-bit: The key length (measured in bits) of the key used in a cryptographic algorithm. A 256-bit key length is extremely difficult to crack.

Confidential Information: The type of information that, if lost or stolen, could severely impact the City of Greensboro and its residents. Examples include personal health information, bank account numbers, passwords, personally identifiable information and credit card information.

ROLES AND RESPONSIBILITIES

Function | Responsibility

Cyber Security & Compliance Officer:
- Define data encryption standards to protect the City's confidential information

Cyber Security Analyst:
- Monitor systems and applications to ensure compliance with data encryption standards

IT Administrators:
- Encrypt data at rest and in transit according to the standards defined in this policy

City Employees:
- Follow the encryption standards defined in this policy to prevent unauthorized access to confidential information

POLICY

1) All implemented encryption standards must support a minimum encryption level of AES 256-bit encryption. Hashing functions must support a minimum hashing level of SHA2 256-bit.
2) Encryption is required when remotely accessing City of Greensboro's systems and applications via Citrix XenApp, VPN, remote desktop or other remote access tools.
3) Trusted SSL certificates must be used when allowing residents' access to City of Greensboro's web applications.
4) If transferring confidential information to a third party via email or other file transfer methods, SSL certificates, email encryption or secure file transfer protocols must be used to protect confidential information from becoming compromised.
5) Confidential information residing in databases must be hashed to prevent unauthorized access to it.
6) The use of proprietary encryption algorithms is not permitted.
7) File and folder encryption must be implemented on laptops that contain confidential information in order to prevent unauthorized access to the information if the laptop is lost or stolen.
8) Encrypted USB drives must be used if there is a business need to copy confidential information on USB drives. This prevents unauthorized access to the information if the USB drive is lost or stolen.
9) Encryption keys and passwords must be stored in a safe location. Access to encryption keys and passwords must be restricted to the individuals that have administrative privileges to the systems and applications where these keys are used.
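Bullets 1, 5, 6 and 9 translate directly into checks an analyst can automate. The following Python script is an added example and is not part of the City's policy or tooling: it classifies algorithm names from a constructed configuration against the AES 256-bit and SHA2 256-bit minimums (rejecting shorter keys, non-AES names and vendor-specific names, as bullet 6 forbids proprietary algorithms), and it shows one way to hash a confidential database field as bullet 5 requires. The name-parsing rules, the configuration keys, and the choice of a keyed SHA-256 (HMAC) with a per-record salt are assumptions made for the example; the policy says only that the data must be hashed.

```python
from __future__ import annotations

import hashlib
import hmac
import os
import re

# Minimums stated in bullet 1 of the Encryption Policy.
MIN_AES_KEY_BITS = 256
MIN_SHA2_DIGEST_BITS = 256

# Assumed naming conventions: "AES-256-GCM", "aes256", "SHA-256", "SHA2-512".
_AES_RE = re.compile(r"^AES[-_ ]?(\d{3})(?:[-_ ]\w+)?$", re.IGNORECASE)
_SHA2_RE = re.compile(r"^SHA(?:2|-2)?[-_ ]?(\d{3})$", re.IGNORECASE)


def cipher_meets_policy(name: str) -> bool:
    """True only for AES with a key of at least 256 bits. Shorter AES keys,
    non-AES ciphers and vendor-specific names all return False, which mirrors
    the policy's wording (AES 256-bit minimum, no proprietary algorithms)."""
    m = _AES_RE.match(name.strip())
    return bool(m) and int(m.group(1)) >= MIN_AES_KEY_BITS


def hash_meets_policy(name: str) -> bool:
    """True for SHA-2 family digests of at least 256 bits. SHA-1, MD5 and
    SHA-224 fail. SHA-3 names also return False because the policy text names
    SHA2 only; treating them as needing review is an assumption here."""
    m = _SHA2_RE.match(name.strip())
    return bool(m) and int(m.group(1)) >= MIN_SHA2_DIGEST_BITS


def audit_settings(settings: dict[str, str]) -> list[str]:
    """Return "setting=algorithm" for every entry below policy; empty means compliant.
    Keys starting with "cipher" are checked as ciphers, all others as hashes."""
    failures = []
    for setting, algorithm in settings.items():
        ok = cipher_meets_policy(algorithm) if setting.startswith("cipher") else hash_meets_policy(algorithm)
        if not ok:
            failures.append(f"{setting}={algorithm}")
    return failures


def hash_confidential(value: str, key: bytes, salt: bytes | None = None) -> tuple[bytes, str]:
    """Keyed SHA-256 (HMAC) of a confidential field with a per-record salt.
    The key lives outside the database with access restricted as bullet 9
    requires; a keyed hash is used because an unkeyed hash of a low-entropy
    value such as an account number can be recovered by guessing candidates."""
    if salt is None:
        salt = os.urandom(16)
    digest = hmac.new(key, salt + value.encode("utf-8"), hashlib.sha256).hexdigest()
    return salt, digest


def verify_confidential(value: str, key: bytes, salt: bytes, digest: str) -> bool:
    """Recompute the hash for a lookup and compare in constant time."""
    _, expected = hash_confidential(value, key, salt)
    return hmac.compare_digest(expected, digest)


# Constructed example configuration (not the City's settings).
SAMPLE_SETTINGS = {
    "cipher.backup": "AES-256-GCM",
    "cipher.legacy_export": "AES-128-CBC",
    "hash.password": "SHA2-256",
    "hash.checksum": "SHA-1",
}

if __name__ == "__main__":
    print("below policy:", audit_settings(SAMPLE_SETTINGS))
    key = os.urandom(32)  # stand-in for a key held in a protected key store
    salt, digest = hash_confidential("123-45-6789", key)  # constructed value
    print(verify_confidential("123-45-6789", key, salt, digest),
          verify_confidential("000-00-0000", key, salt, digest))
```

On the constructed settings the audit reports the AES-128 export cipher and the SHA-1 checksum as below policy. The stored record keeps the salt and the hex digest; the key itself is never written to the database, so the hashed field is only checkable by systems that hold the key.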


R EMOTE A CCESS P OLICY

P URPOSE The purpose of this policy is to define rules and requirements for connecting to the City of Greensboro's network from any host. These rules and requirements are designed to minimize the potential exposure to the City of Greensboro from damages which may result from unauthorized use of City of Greensboro resources. Damages include the loss of sensitive or City of Greensboro confidential data, intellectual property, damage to public image, damage to critical City of Greensboro internal systems, and fines or other financial liabilities incurred as a result of those losses. This is not a substitute policy for telecommuting employees. There is a separate Telecommuting Policy (Policy B-17 in the online Personnel Policy Manual) for those employees who telecommute on a regularly scheduled basis. S COPE This policy applies to all City of Greensboro employees, including full-time staff, part-time staff, contractors, consultants, vendors, trainers, temporary staff and the like who utilize City-owned computers to remotely access the organi zation’s data and networks. Employment at the City of Greensboro does not automatically guarantee the granting of remote access privileges. The City reserves the right to inspect the home workspace during work hours to ensure required conditions are met. The inspection will be conducted by a member of the Human Resources Department in the Health & Safety Division who should be accompanied by the employee’s department Human Resources Representative (HR Rep) and the employee’s supervisor or manager. Any non-exempt employee working overtime (i.e. checking email/voice mail messages) without prior approval from the supervisor may be denied further remote access privileges and be subject to corrective action up to and including dismissal. Any overtime worked after general scheduled hours will be compensated as required by FLSA. 
Any and all work performed for the City of Greensboro on said computers by any and all employees, through a remote access connection of any kind, is covered by this policy. Work can include (but is not limited to) e-mail correspondence, Web browsing, utilizing intranet resources, and any other City applications used over the Internet. Remote access is defined as any connection to the City of Greensboro’s network and/or other applications from off-site locations, such as the employee’s home, a hotel room, airports, cafés, satellite office, wireless devices, etc.

Non-City Owned Computers include employee-owned laptops and home computers. Non-City owned computers can present risks to the City’s systems and applications. For example, malware hidden on a non-City computer that is used to access City resources can record all keystrokes entered, including the user’s City username and password, and then use the information to gain unauthorized access to the City’s systems and sensitive information.

Non-City Owned Computers can only be used to access:
- Exchange Webmail

Non-City Owned Computers cannot be used for:
- Access to internal City systems and applications
- Access to the City via VPN
- Saving email and attachments when using Exchange Webmail

POLICY
It is the responsibility of City of Greensboro employees, contractors, consultants, vendors, trainers, temporary staff and the like with remote access privileges to City of Greensboro's network to ensure that their remote access connection is given the same consideration as the user's on-site connection to the City of Greensboro. General access to the Internet for recreational use through the City of Greensboro network is strictly limited to City of Greensboro employees, contractors, vendors and agents (hereafter referred to as “Authorized Users”). When accessing the City of Greensboro network from a personal computer, Authorized Users are responsible for preventing access to any City computer resources or data by non-Authorized Users. Performance of illegal activities through the City of Greensboro network by any user (Authorized or otherwise) is prohibited. The Authorized User bears responsibility for and consequences of misuse of the Authorized User’s access. For further information and definitions, see the Information Technology Acceptable Use Policy.
1) Employees will use secure remote access procedures. This will be enforced in accordance with the City of Greensboro’s Password Policy. Employees agree to never disclose their passwords to anyone, particularly to family members if business work is conducted from home.
2) All hosts that are connected to the City of Greensboro internal networks via remote access technologies must use the most up-to-date anti-virus software; this includes personal computers. Third-party connections must comply with requirements as stated in the Third Party Access Policy.
3) Remote users using public hotspots for wireless Internet access must employ for their devices a personal firewall, VPN, and any other security measure deemed necessary by the IT department. VPNs supplied by the wireless service provider should also be used, but only in conjunction with the City’s additional security measures.


4) Employees, contractors, consultants, vendors, trainers, temporary staff and the like will make no modifications of any kind to the remote access connection without the express approval of the City’s IT department. This includes, but is not limited to, split tunneling, dual homing, non-standard hardware or security configurations, etc.
5) Employees, contractors, consultants, vendors, trainers, temporary staff and the like with remote access privileges must ensure that their computers are not connected to any other network while connected to the City’s network via remote access, with the obvious exception of Internet connectivity.
6) In order to avoid confusing official City of Greensboro business with personal communications, employees, contractors, consultants, vendors, trainers, temporary staff with remote access privileges must never use non-City e-mail accounts (e.g. Hotmail, Yahoo, etc.) to conduct City of Greensboro business.
7) No employee is to use Internet access through City networks via remote connection for the purpose of illegal transactions, harassment, competitor interests, or obscene behavior, in accordance with other existing employee policies. The City of Greensboro employee bears responsibility for the consequences should the access be misused.
8) All remote access connections must include a “time-out” system. Time-outs will require the user to reconnect and re-authenticate in order to re-enter City networks.
9) If a personally- or City-owned computer or related equipment used for remote access is damaged, lost, or stolen, the authorized user will be responsible for notifying their manager and the City’s IT department immediately.
10) The remote access user also agrees to immediately report to their manager and the City’s IT department any incident or suspected incidents of unauthorized access and/or disclosure of City of Greensboro resources, databases, networks, etc.
11) The remote access user also agrees to and accepts that his or her access and/or connection to the City of Greensboro’s networks may be monitored to record dates, times, duration of access, etc., in order to identify unusual usage patterns or other suspicious activity. As with in-house computers, this is done in order to identify accounts/computers that may have been compromised by external parties.


USER PROVISIONING POLICY

PURPOSE
The purpose of this policy is to define the access control principles for creating and removing user accounts and granting access to systems and applications to protect the City of Greensboro’s systems and information from unauthorized access and disclosure.

SCOPE
This policy applies to:
1) All information technology assets owned and operated by the City of Greensboro
2) All City of Greensboro Employees
3) All City of Greensboro Suppliers, contractors and consultants

DEFINITIONS
Authentication: The process of identifying an individual based on username and password. It ensures that the individual is who he/she claims to be.
Authorization: The process of granting or denying access to a network resource based on user identity. It ensures that only authorized users gain access to network resources.
Accounting: The process of keeping track of a user’s activities while accessing network resources. It identifies malicious behavior on the network and helps with trend analysis, planning and auditing.
Role-based access control: An approach to restricting system and application access to authorized users based on the role they hold at the City.

ROLES AND RESPONSIBILITIES
Function: Cyber Security Team
Responsibility:
1. Review requests for privileged and service accounts and approve/deny these requests
2. Monitor and review the use of privileged accounts
3. Conduct reviews of accounts and passwords to ensure compliance with policy
4. Ensure that accounts provisioned adhere to the policy

Function: IT Administrators
Responsibility:
1. Configure password parameters in systems and applications according to the password configurations defined in this policy

Function: IT Service Desk
Responsibility:
1. Reset account passwords if needed
2. Troubleshoot failed logins and other account login issues

POLICY
1) Requests for account creation and system access must be made through the IT Service Desk at 373.2322. The IT Service Desk must assign requests related to account creation and system access to the Cyber Security Analyst.
2) Requests for privileged and service accounts must be reviewed and approved by the Cyber Security Team.
3) Employees, consultants and contractors must complete, agree to and sign the Third Party Access Policy before an account is created.
4) User accounts must be unique and have an owner assigned to them to ensure that access to systems and applications is restricted by unique user account.
5) User accounts must follow the naming standard that complies with the City of Greensboro naming standard requirements (Lawson ID or Last Name, First Initial).
6) Access rights must be provided following the principles of least privilege and need to know.
7) Role-based access control must be used to ensure that users are assigned the proper access. Division Managers must determine the proper role to assign to each user in order to perform their job function within the system or application. Role security (if available) must be used to ensure that users have the proper access to tasks and functions within the system or application.
8) Identification, authorization and accounting mechanisms must be implemented to securely link users with access rules and prevent unauthorized access to systems and applications.
9) Access to confidential information must be restricted to authorized users whose job responsibility requires it as determined by Division Managers.
10) User password length must be a minimum of 14 characters.
11) Users must change their passwords every 365 days.
12) User accounts must be locked out after 5 failed login attempts, with lockout duration set to forever or until the IT Service Desk or local IT team unlocks the account.
13) Users must keep their passwords secure and they must not write them down or share them with anyone. Passwords must be changed immediately if compromised or suspected of being compromised.
14) IT Service Desk or local IT team must use secure methods to communicate passwords to users.
15) Passwords must be encrypted or hashed when stored in the system or application.


16) Users have the ability to reset their passwords using the City’s password reset tool. If the IT Service Desk or local IT team is required to reset a user’s password, they must verify the user’s identity and provide the user with a temporary password to be changed upon the user logging into the system or application.
17) Accounts for terminated users must be disabled immediately upon receiving a notification from Human Resources or Division Managers or Supervisors or Technology Liaisons. Disabled accounts must be removed after 30 days unless specified otherwise.
18) Upon termination, Human Resources or Division Managers or Supervisors or Technology Liaisons must ensure that access badges and technology assets are collected from terminated employees.
19) All account creation, deletion, and privilege change activities must be logged and reviewed on a regular basis. Failed and successful login attempts must also be logged and reviewed on a regular basis to identify unauthorized login attempts.
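As an added example, not part of the City’s policy or its tooling: a small Python review of constructed account-management and login log lines against items 12, 17 and 19 above. The log format, event names, account names and actor names are assumptions made for this illustration; the script flags accounts that reach the five-failure lockout threshold, successful logins that follow it (lockout not enforced), logins on disabled accounts, and lists the administrative changes item 19 requires to be reviewed.

```python
from collections import defaultdict

LOCKOUT_THRESHOLD = 5  # failed attempts before lockout (policy item 12)

# Constructed sample log (not real City data); the "<ts> <EVENT> key=value ..."
# format, event names, account names and actor names are assumptions.
SAMPLE_LOG = """\
2024-05-01T08:00:01 ACCOUNT_CREATED account=smithj actor=svcdesk01
2024-05-01T08:02:10 LOGIN account=smithj result=success
2024-05-01T08:05:00 LOGIN account=doej result=failure
2024-05-01T08:05:09 LOGIN account=doej result=failure
2024-05-01T08:05:17 LOGIN account=doej result=failure
2024-05-01T08:05:25 LOGIN account=doej result=failure
2024-05-01T08:05:33 LOGIN account=doej result=failure
2024-05-01T08:05:40 LOGIN account=doej result=success
2024-05-01T09:00:00 PRIVILEGE_CHANGE account=smithj actor=admin02 role=domain-admin
2024-05-01T10:00:00 ACCOUNT_DISABLED account=leftm actor=svcdesk01
2024-05-01T11:30:00 LOGIN account=leftm result=success
2024-05-01T12:00:00 ACCOUNT_DELETED account=oldacct actor=admin02
"""

# Events that item 19 says must be logged and reviewed (names are assumptions).
ADMIN_EVENTS = {"ACCOUNT_CREATED", "ACCOUNT_DELETED", "ACCOUNT_DISABLED", "PRIVILEGE_CHANGE"}


def parse_line(line):
    """Split one log line into (timestamp, event, {field: value})."""
    timestamp, event, *fields = line.split()
    return timestamp, event, dict(f.split("=", 1) for f in fields)


def review_log(text):
    """Apply the policy checks to a log and return the findings by category."""
    failures = defaultdict(int)   # current failed-login streak per account
    disabled = set()              # accounts disabled so far in the log
    findings = {
        "lockout_due": [],            # item 12: reached 5 failures, must be locked
        "login_after_threshold": [],  # item 12: success after 5 failures, lockout not enforced
        "disabled_login": [],         # item 17: a disabled account logged in
        "admin_changes": [],          # item 19: creation/deletion/privilege changes to review
    }
    for raw in text.splitlines():
        if not raw.strip():
            continue
        ts, event, f = parse_line(raw)
        acct = f.get("account")
        if event in ADMIN_EVENTS:
            findings["admin_changes"].append((ts, event, acct, f.get("actor")))
            if event == "ACCOUNT_DISABLED":
                disabled.add(acct)
        elif event == "LOGIN" and f.get("result") == "failure":
            failures[acct] += 1
            if failures[acct] == LOCKOUT_THRESHOLD:
                findings["lockout_due"].append(acct)
        elif event == "LOGIN":
            if failures[acct] >= LOCKOUT_THRESHOLD:
                findings["login_after_threshold"].append((ts, acct))
            if acct in disabled:
                findings["disabled_login"].append((ts, acct))
            failures[acct] = 0  # a successful login ends the failure streak
    return findings
```

Running `review_log(SAMPLE_LOG)` on the constructed sample reports doej as due for lockout and then logging in anyway, leftm logging in after being disabled, and four administrative changes for review.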


MOBILE DEVICE POLICY

PURPOSE
Mobile Devices have evolved as powerful computing devices with access to many systems and applications. For the City of Greensboro, mobile devices enable powerful capabilities including access to sensitive City information that must be protected. Mobile devices also represent an asset with significant costs, which must be managed wisely. This policy provides rules that must be followed to protect the City’s systems and information when using Mobile Devices.

SCOPE
This policy applies to all City of Greensboro employees that use mobile devices to access the City’s systems and applications.

DEFINITIONS
MDM: MDM stands for Mobile Device Management. It’s used to help secure mobile devices and protect access to the City’s systems and applications.
Mobile Device: Refers to smart phones (e.g., iPhone, Galaxy S) and tablets (e.g., iPad, Surface).
Rooted or Jail-broken: Altering the device operating system for the purposes of removing or circumventing restrictions.

ROLES AND RESPONSIBILITIES
Function: Cyber Security Division
Responsibility:
1) Ensure that mobile devices adhere to the rules defined in this policy
2) Block access to mobile devices that do not comply with this policy

Function: City Employees
Responsibility:
1) Adhere to the rules defined in this policy

POLICY
1) The City of Greensboro may provide mobile devices to employees whose jobs require them. It’s up to the employee’s manager to determine if a City-owned mobile device is justified.
2) The use of personally owned devices to access the City’s systems and applications may be allowed. If the employee uses a personally-owned mobile device to access the City’s systems and applications, the employee must agree to the terms and conditions defined in the “Personally-Owned Mobile Device Agreement” to continue to have access. If the employee does not agree to the terms and conditions, their access to City’s systems and applications from their personally owned mobile device will be blocked.


3) City-owned mobile devices are the property of the City and must be returned to the City immediately upon request.
4) The City is not responsible for any personal information stored on a City-owned device that may be lost or deleted.
5) Job responsibilities may require employees to occasionally be available after normal business hours. Non-exempt employees may be allowed to access the City’s systems and applications from their mobile devices after normal business hours if their manager approves. Time worked after normal business hours will be compensable according to FLSA and City policy. Any unapproved time worked after normal business hours will be compensated as required by FLSA. An employee working without approval from the supervisor may be subject to corrective action up to and including dismissal.
6) All applicable laws including all such laws restricting the use of mobile devices while driving must be observed. If an employee is charged with traffic violations resulting from the use of a City-owned mobile device while driving, the employee will be solely responsible for all liabilities that result from such action.
7) The mobile device must not be used for any illegal, unauthorized, unintended, unsafe, hazardous or unlawful purposes, or in any manner prohibited by laws and regulations.
8) Employees must refrain from connecting their mobile devices to public Wi-Fi networks because they lack the required security controls to protect mobile devices from becoming compromised through malicious devices that may be on the same Wi-Fi network.
9) Rooted or jail-broken mobile devices will be blocked from accessing the City’s systems and applications.
10) Access to the mobile device must be protected with a passcode, Face ID, pattern matching or other types of authentication mechanisms.
11) Any security controls that may have been applied to the mobile device to protect the City’s information must not be circumvented. If an attempt to circumvent a security control is detected, the device will be blocked from accessing the City’s systems and applications.
12) Only apps with a good reputation from reputable sources are to be installed on the mobile device.
13) Employees are not permitted to install personal apps on City-owned mobile devices. This includes social media, dating, shopping and other types of personal apps.
14) Lost or stolen mobile devices must be reported immediately to the IT Service Desk at 373.2322 or by emailing the Cyber Security Team at securityincidents@greensboro-nc.gov.
15) A stolen mobile device will immediately be remotely erased to prevent access to sensitive information.
16) An attempt will be made to locate a lost mobile device. If the attempt fails, the mobile device will be remotely erased.
17) New Operating System (OS) updates must not be installed until approved by IT.
18) Security updates must be applied immediately when asked to do so by IT.


19) All City information must be removed from the mobile device before it is given to any third party for service, repair or replacement.
20) In the event of employee separation from the City, the City’s information will be remotely or locally erased from the mobile device.
